For the second time in the past six months, a district court has dismissed a lawsuit alleging procedural and technical violations of the Illinois biometric privacy statute for lack of Article III standing. InVigil v. Take-Two Interactive Software, Inc., No. 15-8211 (S.D.N.Y. Jan. 27, 2017), the court dismissed Illinois biometric privacy claims against a videogame maker related to a feature in the NBA 2K videogame series that allows users to scan their faces and create a personalized virtual avatar for in-game play. In a lengthy opinion, the New York court provided Take-Two with a resounding victory when it ruled that procedural violations of the notice and consent provisions of the Illinois biometric privacy statute are not in-of-themselves sufficient to confer standing.

Biometric technology such as facial recognition, iris scans, or fingerprint authentication is being used and further developed to improve the security of financial and other sensitive transactions. At the same time, social media sites, mobile apps, videogame developers and others are employing biometrics for other cutting edge uses to improve services. The current Vigil ruling is particularly important, however, as it may buoy companies that collect biometric data under reasonable notice and usage policies, as they hope that the approval applied in Vigil is affirmed, if appealed, and followed in other jurisdictions.

The case at hand concerned the MyPlayer feature in the NBA 2K15 and NBA 2K16 videogames, which allows users to scan their own faces to create personalized virtual basketball avatars for in-game play (including allowing multiplayer games, if the gamer so chooses). To create the avatars, the game platform’s cameras scan the user’s face and head from various angles and then convert this data into a virtual player that resembles the user.

If a user wants to use the MyPlayer function, he or she must agree to the following terms:

Your face scan will be visible to you and others you play with and may be recorded or screen captured during gameplay. By proceeding you agree and consent to such uses and other uses pursuant to the End User License Agreement. www.take2games.com/eula

The plaintiffs made no allegations that their faceprints were disseminated or used for any other purpose outside of the game (for which they gave consent). Rather, they contend that Take-Two failed to comply with various provisions of the Illinois Biometric Information Privacy Act, 740 Ill. Comp. Stat. 14/1 (“BIPA”). Specifically, the plaintiffs claimed, among other things, that Take-Two failed to provide adequate written notice about the game maker’s data retention policies with respect to the collection and use of the gamer’s faceprints and failed to use adequate security when transmitting faceprints.

In light of the Supreme Court’s Spokeo ruling in May 2016, the defendant moved to dismiss the action, contending that the plaintiffs did not have Article III standing based upon a lack of a concrete and particularized injury. The court granted the motion.

BIPA’s Storage and Dissemination Claims

Generally speaking, BIPA requires private entities to “store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity’s industry,” and to treat such identifiers and information as they would other sensitive and confidential information. See 740 Ill. Comp. Stat. 14/15(e). In examining the plaintiff’s claims, the court noted that there were no allegations that Take-Two disseminated or sold the plaintiff’s biometric data to third-parties or used the data in a manner unrelated to in-game play – in fact, the MyPlayer function operated exactly as anticipated, allowing a gamer to create personalized basketball avatars for in-game play. As such, the court ruled that the purported violations of BIPA were “at best, marginal,” and that the plaintiffs lacked standing to pursue claims for alleged bare procedural violations of the BIPA that did not rise to a material risk of harm that BIPA was designed to prevent. The court rejected the plaintiffs’ claim that Take-Two’s storage and transmission practices subjected their facial scans to an “enhanced risk of harm” of hacking or misuse, finding such claims too “speculative” and “abstract.” Even though the court recognized that biometric data is immutable and the risk associated with unlawful acquisition of facial scan data could be great, it found the plaintiff’s statutory claims lacking: “[T]he hypothetical magnitude of a highly speculative and abstract injury that is not certainly impending does not make the injury any less speculative and abstract.”

BIPA’s Notice and Consent Claims

The plaintiffs alleged that the notice and consent they received before creating a personalized avatar was insufficient because the MyPlayer feature terms and conditions did not specifically disclose the purpose of the scanning, or publish a biometric data retention schedule; the plaintiffs also claimed that their consent to use the MyPlayer feature was not embodied in a writing.

In rejecting that the plaintiff’s argument that the defendant harmed plaintiffs’ “right to information” about the game maker’s use of their facial scans, the court reasoned that BIPA’s disclosure and consent requirements were plainly designed to allow parties to set the contours for the permissible uses of the biometrics collected in the underlying transaction, which was what occurred in this case:

“The alleged failure to give the plaintiffs more extensive notice and consent is not a material risk to a concrete BIPA interest where no material risk of biometric data misuse ever materialized.”

“Unlike statutes where the provision of information about statutory rights, or matters of public concern, is an end itself, the BIPA’s notice and consent provisions do not create a separate interest in the right-to-information, but instead operate in support of the data protection goal of the statute.”

“Even without fully compliant notice and consent, no concrete BIPA interest can be harmed so long as the private entity only uses the biometrics collected as both parties intended.”

Ultimately, the court found the plaintiffs lacked standing because they failed to establish a material risk to the concrete interest protected by BIPA, namely, biometric data protection. In fact, the court stated that the difference between the actual notice and consent in this case, and that purportedly required by the BIPA, did not rise to more a bare procedural violation, insufficient for standing under Spokeo.

We will continue to monitor developments in biometric privacy and technology, including the ongoing Facebook litigation proceeding in California and any future legislative efforts to amend the Illinois statute.

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on www.NatLawReview.com are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. The National Law Review is not a law firm nor is www.NatLawReview.com intended to be a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional. NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us.

Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.

The National Law Review - National Law Forum LLC 4700 Gilbert Ave. Suite 47 #230 Western Springs, IL 60558 Telephone (708) 357-3317 If you would ike to contact us via email please click here.